start requiring kubelet trust

bindata/v3.11.0/kube-apiserver/defaultconfig.yaml

@@ -84,8 +84,7 @@ imagePolicyConfig:
   externalRegistryHostname: ""
   internalRegistryHostname: docker-registry.default.svc:5000
 kubeletClientInfo:
-  # empty until it's properly secured
-  ca: ""
+  ca: /etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt
   certFile: /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt
   keyFile: /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key
   port: 10250

pkg/operator/resourcesynccontroller/resourcesynccontroller.go

@@ -21,25 +21,29 @@ func NewResourceSyncController(
 		v1helpers.CachedConfigMapGetter(kubeClient.CoreV1(), kubeInformersForNamespaces),
 		eventRecorder,
 	)
+
 	if err := resourceSyncController.SyncConfigMap(
 		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "etcd-serving-ca"},
 		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.EtcdNamespaceName, Name: "etcd-serving-ca"},
 	); err != nil {
 		return nil, err
 	}
+
 	if err := resourceSyncController.SyncSecret(
 		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "etcd-client"},
 		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.EtcdNamespaceName, Name: "etcd-client"},
 	); err != nil {
 		return nil, err
 	}
+
 	// this configmap holds the cert used to verify SA token JWTs created by the bootstrap kube-controller-manager
 	if err := resourceSyncController.SyncConfigMap(
 		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "initial-sa-token-signing-certs"},
 		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: "initial-sa-token-signing-certs"},
 	); err != nil {
 		return nil, err
 	}
+
 	// this configmaps holds the certs used to verify the SA token JWTs created by the kube-controller-manager-operator
 	if err := resourceSyncController.SyncConfigMap(
 		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "kube-controller-manager-sa-token-signing-certs"},
@@ -56,6 +60,7 @@ func NewResourceSyncController(
 	); err != nil {
 		return nil, err
 	}
+
 	// this secret contains the serving cert/key pair for the kube-apiserver
 	// TODO this will logically become two secrets: one for the ELB/default, another for the loopback and service network
 	if err := resourceSyncController.SyncSecret(
@@ -72,13 +77,15 @@ func NewResourceSyncController(
 	); err != nil {
 		return nil, err
 	}
+
 	// this ca bundle contains certs used by the kube-apiserver to verify client certs
 	if err := resourceSyncController.SyncConfigMap(
 		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "kube-apiserver-client-ca"},
 		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "client-ca"},
 	); err != nil {
 		return nil, err
 	}
+
 	// this ca bundle contains certs provided by the kube-apiserver to verify aggregator client certs
 	if err := resourceSyncController.SyncConfigMap(
 		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "kube-apiserver-aggregator-client-ca"},
@@ -87,5 +94,13 @@ func NewResourceSyncController(
 		return nil, err
 	}
 
+	// this ca bundle contains certs that can be used to verify a kubelet
+	if err := resourceSyncController.SyncConfigMap(
+		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "kubelet-serving-ca"},
+		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "kubelet-serving-ca"},
+	); err != nil {
+		return nil, err
+	}
+
 	return resourceSyncController, nil
 }